Subject: [security-services] Minutes for Telecon, Tuesday 17 September 2002
Minutes for SSTC Telecon, Tuesday 17 September 2002
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson
======================================================================
Summary
======================================================================
Votes:
- Minutes from previous meeting accepted (unanimous)
- TC directs editor of draft-sstc-ws-sec-profile-03 to ensure that
the IPR issues necessary to submit to WSSTC are dealt with, and
to submit it as an individual to the WSSTC (unanimous)
- TC willing to submit draft-sstc-ws-sec-profile-03, in case it must
be submitted as TC (unanimous)
New Action Items:
- Prateek to check with OASIS folks on submitting
draft-sstc-ws-sec-profile-03
- Rob and Irving to look over Eve's submission on fragment
identifiers
- Jeff to determine if conformance language around the notions of
profiles vs. extensions is really an issue
Previous Action Items Still Open:
- Scott Cantor to take the XML DSIG discussions from the thread
and turn it to a "best practices" document
- Carlisle Adams to take the "Standardize Issuer Format" back
to the XACML for more clear requirements and/or proposal.
- Eve to ask other TCs about how they did their charter
modifications.
======================================================================
Raw Notes
======================================================================
>
> Agenda:
>
> 1. Roll call
>
- Attendance attached to bottom of these minutes
- Quorum achieved
>
> 2. Accept minutes from previous meeting
>
- [VOTE] unanimous consent, accepted
>
> 3. Review of action items (see below)
>
> A1. Mike Just to submit a proposal on Credentials Collection
>
> nominally done. see..
>
> [security-services] Credentials collection proposal
> http://lists.oasis-open.org/archives/security-services/200209/msg00007.html
>
- content will be discussed later in this meeting
>
> A2. Eve Maler to propose changes for fixing the Fragment
> Identifier issue
>
> nominally done. see..
>
> [security-services] Concrete proposal for changes to fix the
> fragmentID problem
> http://lists.oasis-open.org/archives/security-services/200209/msg00003.html
>
> Re: [security-services] Concrete proposal for changes to fix
> the fragment ID problem
> http://lists.oasis-open.org/archives/security-services/200209/msg00011.html
>
- discussion is also later on agenda
>
> A3. Scott Cantor to take the XML DSIG discussions from the thread
> and turn it to a "best practices" document
>
- Scott: still working, hope to have done by end of week
>
> A4. Carlisle Adams to take the "Standardize Issuer Format" back to
> the XACML for more clear requirements and/or proposal.
>
- [minute taker distracted ... but sounded like this is still open]
>
> A5. Eve to ask other TCs about how they did their charter
> modifications.
>
- Eve not on call, still open
>
> 4. Submission of draft-sstc-ws-sec-profile-03 to WSSTC
>
- Jeff: when he stood up at WSSTC to formally submit draft, WSSTC pushed
back, claiming we had not fully satisfied submission process in the
area of IPR claims
- Hal: if Sun had simply submitted, it would be simple, but since this
TC as a whole submitted, it requires more discussion
- Prateek: disagrees
- Hal: makes assertion based on Chris Kurt, who is on OASIS board
- Prateek: cites OASIS web page language
- Joe: 2 items
- Need to get clearance from named submitters
- Need to get vote from TC as a whole
- Prateek: will contact other listed authors to get consent
- Jeff: should do it on the list for all to see
- Hal: believes the view was that if the TC submits it, then the TC is
the author
- Joe: pinging once again for IPR claim, and will push for formal vote
to submit this
- If committee as a whole is unwilling to submit, individual authors
can submit free and clear
- Rob: reading OASIS Committees guidelines
- rights granted to OASIS are effectively copyrights
- Prateek: this is for a contributed work?
- referenced link:
< http://www.oasis-open.org/who/intellectualproperty.shtml >
heading: OASIS.IPR.3.1. All Contributions
- Joe: as part of the agreement to develop work in committee, this work
is already in control of OASIS
- Rob: tried to argue this at WSSTC, but didn't go over well
- RLBob: recalls that the discussion wasn't over the TC work, it was
over RSA's claims
- Rob: that was his issue, as he doesn't believe RSA has any statement
to make
- Jeff: doesn't see anything RSA needs to do either
- Hal: does think there is a desire for RSA to make clear that their
claims apply equally well to WSSTC
- discussion of inconsistency wrt ContentGuard claims against the
XML Token document submitted to WSSTC
- Prateek: would like to take the position that the authors be made
aware of the OASIS IPR for contributions, and that after that, we have
completed our work
- Hal: that begs the question of who the authors are -- the whole TC or
not?
- Rob: doesn't feel strongly either way, but thinks we can get a TC
vote through easy enough
- Jeff: there was some question of whether Bob Blakely should be listed
as author, likewise for Phill
- Phill: doesn't think this whole thing is about SAML and WS-Sec, thinks
that Chris Kurt has some meta-procedural issues where he wants some
precedent set
- Rob: would it help to get clarification from Karl?
- maybe
- Hal: if we do three things, they may not all be necessary, but they
can't hurt, and should be more than enough
- vote
- fix authors list to include only people who know they are listed
- have authors clarify that they have no claims or that licenses
will be handled same as for TC
- could change to submitting as individuals rather than as TC
- Ron: wouldn't it be simpler to spin off another version, with a subset
of authors
- Prateek: would call for a vote from TC to direct editor to ensure that
IP issues are met, and to submit to WSSTC
- RLBob: so moved --
TC directs editor of this doc to ensure that the IPR issues necessary
to submit to WSSTC are dealt with, and to submit it as an individual
to the WSSTC
- [VOTE] no objections, motion passes
- Ron: will this document, when submitted, be modifiable by the WSSTC?
- yes
- Jeff: suggests the OASIS footer and logo be removed from draft
- Prateek: asserts that this is a draft, created under OASIS committee
- Hal: suggests that Prateek take this up with Karl and Chris Kurt
directly
- [ACTION] Prateek to check with OASIS folks on submitting draft
- Joe: would like to take secondary vote on TC's willingness to submit
the draft (in case it must be submitted as TC)
- so moved
- [VOTE] no objections, motion passes
>
> 5. Discussion on fragment identifiers.
>
- Eve isn't on call
- we can either discuss it in her absence or postpone until next call
- looking for volunteer to lead discussion
- Irving: can do it, doesn't think it's complicated
- in SAML 1.1, deprecate old format, and recommend new format with
a strong SHOULD
- in SAML 2.0, old format would be completely removed, breaking
backward compatibility (which is allowable in major version)
- Jeff: This was on our plate for SAML 1.1, so next thing to do is for
people to examine this and determine if it is complete, and if so
slate it for inclusion in 1.1 spec
- need to ensure that new values are complete and exhaustive
- Jeff: raises question of who is editor for 1.1
- consensus is that the lion's share of the work is done
- Rob volunteers to double check completeness, but would like another
volunteer
- Irving will take a pass as well
- [ACTION] Rob and Irving to look over Eve's submission
>
> 6. Discussion on credentials collection
>
- Mike giving overview
- Prateek: where does challenge response fit into diagram?
- Mike: probably need additional item on interaction diagram
- Hal: when we decided to defer this, he concluded that using SASL
caused limitations (as outlined in his recent paper)
- Believes you cannot fully support TLS client cert or Kerberos
- His paper laid out what he thought were all the reasonable
requirements, but doesn't think they can all be covered
- thinks we should construct some use cases to illustrate what can
be covered by any approach, and what cannot be covered
- overall reaction is that this proposal more fully supports the
weaker forms and less fully supports the stronger forms
- Hal: observes that in this proposal, credentials collector is actually
performing the authentication
- thinks that is architecturally undesirable
- model Hal had in mind was for CC to simply assert what was
collected, but not assert any validity -- that is what AuthN
Authority does
- not quite model Carlisle had in mind, was thinking more RA/CA
- Jeff: leans toward Hal's model
- Hal: if CC has access to repositories and can validate
credentials, what distinguishes it from AA?
- Carlisle: imagined AuthN Authority just issuing assns of authN
- Hal: use cases will be useful
- Carlisle: appears that there's plenty of interest to continue this
work
- so we need to clarify what we mean by CC and AA
- Mike: soliciting more feedback on submission
>
> 7. Review of steps towards a SAML 1.x specification release
>
- Carlisle: clarifying that 1.x means 1.1 and we're not releasing
anything else prior to 2.0
- correct
- Jeff: reviewing minutes of last call ("TODO list" items)
- rehashing assertion cache discussion
- TC must determine whether to address in 1.1 or not
- Carlisle: has just sent msg to list for Standardize issuer name
formats
- [ACTION] Jeff to determine if conformance language around the
notions of profiles vs. extensions is really an issue
- Jeff thinks formalizing operational agreements is a longer term
item, but if someone (like Interop participant) wants to
investigate further, that would be useful
- Rob: is this a candidate for a subcommittee?
- sounds like it
- Prateek: refers to metadata outlined in Liberty, will examine
applicability to SAML
>
> 8. Changes to OASIS TC process, official as of today
>
- Joe reviewing changes
- there are now restrictions of third party trademarks
- clarification on membership issues
- big change to timelines -- monthly rather than quarterly
submissions, and review period has been shrunk to 1 month (half
for review, half for vote)
- no errata accepted, whole spec must be resubmitted
- before a TC can submit a spec, there needs to be a public review
for at least 30 days (similar to what we did), during which no
changes are allowed
- Hal: other comments
- more stringent membership procedures, like keeping membership list
current on web site
>
> 9. Adjourn
>
- Adjourned
-----------------------------------------------------------------------
Attendance of Voting Members:
Allen Rogers Authentica
Irving Reid Baltimore
Hal Lockhart Entegrity
Carlisle Adams Entrust
Don Flinn Hitachi
Joe Pato HP
Jason Rouault HP
Prateek Mishra Netegrity
Steve Anderson OpenNetwork
Rob Philpott RSA Security
Jahan Moreh Sigaba
Jeff Hodges Sun
Aravindan Ranganathan Sun
Phillip Hallam-Baker Verisign
Simon Godik (individual)
Bob Morgan (individual)
Attendance of Observers or Prospective Members:
Scott Cantor OSU
Mike Just Entrust
Ron Monzillo Sun
Membership Status Changes:
Robert Standefer EDS -- granted voting status after call
--
Steve